Robust Authentication Proxying
Philip Molter
hrunting at hrunting.org
Fri Jul 10 17:24:17 CEST 2009
Alan and Ivan,

Thanks for your patience with this. I'm migrating from an old RADIUS
platform that supports this behavior to freeradius, and I'm just trying
to make sure I get everything working.

Ivan Kalik wrote:
>> rad_recv: Access-Request packet from host 127.0.0.1 port 39091, id=56,
>> length=59
>> Ignoring retransmit from client SERVERS port 39091 - ID: 56, no reply
>> was configured
>
> I can see your point. You would like to argue that the request should be
> taken off the list even if no response was configured - since the server didn't
> respond because of the do_not_respond policy. I am not sure that can be
> made to work.

What I really want is just, instead of the request being marked as
failed when one of the home servers doesn't respond, for the proxy
subsystem to just try sending the request to another configured home
server. If the proxy has tried sending a request to every non-zombie
home server in the list and still hasn't gotten anything, then it can
mark the request as failed.

The way I originally thought it was going to work is similar to how
modules are load-balanced. If I have five SQL servers loaded through 5
named SQL module configs, it will try the first, then the second, then
the third until one of them returns success. It would be great if the
proxy load-balancing could work the same way.

Philip